Mongo @Query vulnerable to SQL/No-SQL Injection?

0 votes
Asked by user: (140 points)

I'm developing a Spring MVC web-based app and I'm using MongoDB with the MongoRepository interface for persistence. In some of my queries to the DB, I don't use the MongoRepository (or CrudRepository) reflection method naming like findByEmail(String email);, I simply invoke my own @Query execution. For example, these two methods:

public ObjectInstantiation findById(String id);

@Query(value = "{'dni._id' : ?0}", delete = true)
public void deleteById(String id);

The thing is these methods are used when looking for users in my DB. For example, when somebody tries to log in, I would findById() the username he or she inserted and check if the result is null.

I was reading this article

As I can see from OWASP my code is indeed vulnerable to SQL/No-SQL injection attacks but I don't see any way of preventing it.

I'm not a cybersecurity expert by any means.

How is my code vulnerable? How could I prevent or sanitize my code?

Thank you very much.

P.S: I'm not sure if I should ask in Information Security since I believe this is more of a programming question.
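Added example (not code from the question, and not Spring Data's own implementation): the two ways a MongoDB filter on `dni._id` can be built in Java, placed side by side. The first splices the caller's string into JSON text and parses it, so whatever the caller types becomes part of the filter structure; the second passes the value through the driver's `Document`/`Criteria` API, so it is stored as a BSON string and can never be interpreted as an operator. The second form is what a Spring Data `@Query("{'dni._id' : ?0}")` placeholder with a `String` parameter produces: `?0` is bound as a value, not pasted into the query text. The class name `DniLookup` and the injected `MongoTemplate` are assumptions; `ObjectInstantiation` is the entity type from the question, and the MongoDB Java driver and Spring Data MongoDB are assumed to be on the classpath.

```java
import org.bson.Document;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.query.BasicQuery;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.core.query.Query;

// Hypothetical helper class; ObjectInstantiation is the entity from the question.
public class DniLookup {

    private final MongoTemplate template; // assumed to be injected by Spring

    public DniLookup(MongoTemplate template) {
        this.template = template;
    }

    // INJECTABLE: the caller-controlled string is concatenated into JSON text and then
    // parsed, so the caller decides the *structure* of the filter, not just a value.
    public ObjectInstantiation findByIdConcatenated(String id) {
        String json = "{'dni._id' : '" + id + "'}";
        return template.findOne(new BasicQuery(json), ObjectInstantiation.class);
    }

    // SAFE: the value is attached to the filter as a BSON string via the Criteria API.
    // Equivalent to a repository method annotated @Query("{'dni._id' : ?0}") taking a String.
    public ObjectInstantiation findByIdBound(String id) {
        Query q = new Query(Criteria.where("dni._id").is(id));
        return template.findOne(q, ObjectInstantiation.class);
    }

    // The same contrast as plain BSON documents, usable without a database:
    // concatenatedFilter() lets the input alter the document's shape,
    // boundFilter() always yields { "dni._id": <string> } whatever the input contains.
    static Document concatenatedFilter(String id) {
        return Document.parse("{'dni._id' : '" + id + "'}");
    }

    static Document boundFilter(String id) {
        return new Document("dni._id", id); // value is a java.lang.String, encoded as a BSON string
    }
}
```

For a quick check, call `boundFilter(...)` and `concatenatedFilter(...)` with the same argument and compare `get("dni._id").getClass()`: the bound form always returns a `String`, while the concatenated form returns whatever type the parser produced from the caller's text. The same rule applies at the controller: keep the parameter typed as `String` all the way from the request to the repository, because binding it to `Object` or `Map` would let a client submit a document instead of a value.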
